
Sefnit over Tor was slowly squashed as administrators took steps to push users to upgrade to a newer version of the Tor client that included a new handshake feature that replaced the one being used by the malware. Microsoft updated a number of its security products by November, including Microsoft Security Essentials, Windows Defender and the Malicious Software Removal Tool, to mitigate Sefnit and remediate machines infected with the Sefnit-related Tor service.

At its peak, more than five million machines on average were connecting to the Tor network, up from an average of fewer than one million. By the end of 2013, Tor metrics showed that number dropping to around 2 million.

The Sefnit authors have now countered, re-launching another version that has shunned Tor as a communication protocol and spreads via more traditional means. Researchers at Facebook found the variant and, together with researchers at Microsoft, dug under the covers of Sefnit.BW and learned that this version is also being used for click-fraud as well as Litecoin mining. The malware opens a backdoor connection to a number of malicious domains from which more malware can be pushed to infected machines.

The original malware, also known as Mevade, was ultimately found out to be a click-fraud and Bitcoin mining scheme.

The new variant, like the previous one, is delivered by a phony application called File Scout developed by the malware authors.

Facebook said yesterday that in March and April FileScout was dropping a NullSoft installer on infected machines that in turn dropped two executable files that ultimately use SSH as a communication protocol.

The first file drops two DLLs, called winthemes and themes respectively. Both register themselves in the Windows registry, then ping out and attempt to connect to one of eight command-and-control servers, all of which were registered on March 27.

The first file then creates a directory in which it drops three more dlls called startup, run and channel; the SSH capabilities for C&C communication are built into the channel dll, which connects to sbc at kitiapgub[.]net over port 443. Facebook said this connection uses the same embedded keyfile that was used in the initial Sefnit infections over Tor in September.

“Using static details about channel.dll, such as its exported function name of check_update and its imphash, we were able to identify 7 additional channel.dll variants in the wild,” Facebook said.

The second file drops an updater dll that calls out to a domain, axnize[.]net; the email used to register this malicious domain was also used to register 10 other domains, Facebook said, some of which are the same domains used by the themes dll.

Microsoft’s Geoff McDonald, who did some of the early research on Sefnit, said that the malware can be spread by other malware, or bundled with software available on peer-to-peer networks. The primary monetization method is click fraud, McDonald said, adding that the primary indicators of compromise are the SSH connection over 443, in addition to performance downgrades because of the Litecoin mining.
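The indicator McDonald describes, an SSH session carried over port 443 rather than the TLS one would expect there, can be caught as a protocol/port mismatch. The following is an added detection example written for this article, not code from Facebook or Microsoft; the flow records are constructed, and the ports, addresses and banner strings are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample flow records (not from the article): the first bytes the
# server sent on each connection, as a network sensor would capture them.
SAMPLE_FLOWS = [
    # (client, server, dst_port, first_payload_bytes)
    ("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS record
    ("10.0.0.7", "203.0.113.22", 443, b"SSH-2.0-OpenSSH_6.2\r\n"),   # SSH banner where TLS is expected
    ("10.0.0.7", "203.0.113.22", 22, b"SSH-2.0-OpenSSH_6.2\r\n"),    # SSH on its usual port
    ("10.0.0.9", "203.0.113.30", 8443, b"SSH-2.0-libssh2_1.4.3\r\n"),
]

# RFC 4253 identification string: "SSH-protoversion-softwareversion"
SSH_BANNER = re.compile(rb"^SSH-(\d+\.\d+)-([^\r\n]*)")


@dataclass
class Finding:
    client: str
    server: str
    port: int
    software: str
    severity: str


def classify_payload(payload: bytes) -> str:
    """Label the first bytes of a connection as ssh, tls or unknown."""
    if SSH_BANNER.match(payload):
        return "ssh"
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    if len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "unknown"


def find_ssh_port_mismatch(flows, ssh_ports=(22,)):
    """Return SSH sessions seen on ports where SSH is not expected.

    Port 443 is rated high because SSH there is the indicator named in the
    article; any other non-SSH port is rated medium.
    """
    findings = []
    for client, server, port, payload in flows:
        m = SSH_BANNER.match(payload)
        if not m or port in ssh_ports:
            continue
        severity = "high" if port == 443 else "medium"
        software = m.group(2).decode("ascii", errors="replace")
        findings.append(Finding(client, server, port, software, severity))
    return findings


if __name__ == "__main__":
    for f in find_ssh_port_mismatch(SAMPLE_FLOWS):
        print(f"{f.severity}: {f.client} -> {f.server}:{f.port} ({f.software})")
```

On real sensor data the same check applies to the first bytes of the server response in each flow; a benign web server on 443 answers with a TLS record, never an SSH identification string.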

“We have seen Sefnit using the 3proxy service to proxy HTTP traffic to emulate a user browsing the Internet and clicking on advertisements,” McDonald said.
